When does an organization need to conduct DPIA in GDPR?

Published on : 13 Sep 2021


When does an organization need to conduct DPIA in GDPR

Data Protection Impact Assessment is a mandate under the GDPR Regulation. Organizations are required to annually conduct DPIA assessments to evaluate the risk exposure and the impact that it may have on sensitive data.

 DPIA is an important part of an organization’s cyber security and privacy program. However, not all organizations are required to conduct a DPIA assessment. Only organizations that are believed to process data that may result in a high risk to data subject rights or freedom will require conducting DPIA.

 So, for a better understanding of what kind of processing activity is considered risky and requires DPIA, we have today shared some general rules and specifications outlined in the GDPR Regulation about conducting DPIA in an organization. For that let us first understand the general DPIA rule in the GDPR Regulation.

What is the general rule?

Article 35(1) under the GDPR Regulation clearly mandates the requirement of a DPIA where the processing activity is likely to result in a high risk to the rights and freedoms of individuals. The type of processing activity would mean using new technologies, and considering the nature, scope, context, and purposes of the processing that may result in a high risk to the data subject’s rights and freedoms.

So, in that case, the organization or the controller is required to conduct a Data Protection Impact Assessment to evaluate the severity of risk exposure and its impact on processing operations and protection of personal data. Let us understand what high risk means to get better clarity of the assessment requirements. 

What does ‘high risk’ mean?

Risk means potential for any significant physical, material, or non-material harm or damage to the sensitive data or individuals. The GDPR clearly states that organizations need to consider both the likelihood and severity of any potential harm to individuals. While Risk implies any probability of harm, High risk implies a higher threshold, wherein the possibility of harm is more likely, or more severe, or a combination of both.

So, assessing the likelihood of high impact is what Data Protection Impact Assessment is all about. For the initial screening purpose, it is important to determine whether the processing is of a type likely to result in a high risk. So a high-level screening test that helps determines or points at the potential for high risk needs to be evaluated.

Article 35(3) lists types of processing that automatically require a DPIA, and the ICO has published a list under Article 35(4) setting out ten more. However, this does not mean that these types of processing are always high risk, or are always likely to cause harm but it is just that there is a reasonable chance that they may be highly risky and the DPIA is required to assess the level of risk in more detail.

 If the processing activity of your organization is not described under the GDPR, Article 35(3) the ICO list then it is up to you to decide whether the processing results in high risk, taking into account the nature, scope, context, and purposes of the processing. If in doubt, it recommends that your organization conducts DPIA to ensure compliance.

free consulting

Types of processing that automatically require a DPIA

Article 35(3) states three types of a processing activity that requires a DPIA:

Systematic and extensive profiling with significant effects

“Any systematic and extensive evaluation of personal data relating to the natural persons based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”

Large scale use of sensitive data:

“Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10.”

Public monitoring:

“Systematic monitoring of a publicly accessible area on a large scale.”

Other Factors Indicating likely high risk

Article 29 working party of EU data protection authorities (WP29) published guidelines with nine criteria that act as indicators of likely high-risk processing:

  • Evaluation or scoring.
  • Automated decision-making with legal or similarly significant effects.
  • Systematic monitoring.
  • Sensitive data or data of a highly personal nature.
  • Data is processed on a large scale.
  • Matching or combining datasets.
  • Data concerning vulnerable data subjects.
  • Innovative use or applying new technological or organizational solutions.
  • Preventing data subjects from exercising a right or using a service or contract.

In most cases, a combination of two factors indicates the need for a DPIA. However, this is not a strict rule. In some cases, you may need to do a DPIA if only one factor is present. Either way, conducting DPIA is considered a good practice and is recommended for all in general. 

What does the ICO consider the high risk?

The ICO published a list of processing operations that require a DPIA. This list complements and further specifies the criteria referred to in the European guidelines. Some of these operations require a DPIA automatically, and some only when they occur in combination with other items, or any of the criteria in the European Guidelines mentioned above-  

Innovative technology

If there is any processing activity that involves using innovative technologies or the novel application of existing technologies (including AI) DPIA is required. The assessment is required if the processing is combined with any of the criteria from the GDPR guidelines as well.

Denial of service

Decisions about an individual’s access to a product, service, opportunity, or benefit based on automated decision-making (including profiling) or involves the processing of special category data will require DPIA evaluation.

Large-scale profiling

Any profiling of individuals that is performed on a large scale will require undergoing DPIA assessment.

Biometrics

Any processing of biometric data whether individually or combined with any of the criteria from the GDPR guidelines will require DPIA.

Genetic data

Processing of genetic data, other than that processed by an individual GP or health professional for the provision of healthcare directly to the data subject when combined with any of the criteria from the European guidelines will require the performance of the assessment.

Data matching

In case of combining, comparing, or matching personal data obtained from multiple sources.

Invisible processing

Processing of personal data that has not been obtained directly from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort DPIA will be required, especially where processing is combined with any of the criteria from the European guidelines.

Tracking

Data processing activity that involves tracking an individual’s geolocation or behavior, including but not limited to the online environment DPIA assessment is required. This would also be the case where this processing is combined with any of the criteria from the European guidelines.

Targeting of children or other vulnerable individuals

The data processing activity is concerning the personal data of children or any vulnerable individuals for marketing purposes, profiling, or other automated decision-making, or if you intend to offer online services directly to children.

Risk of physical harm

In cases where the processing is of a nature that could possibly result in a data breach that could jeopardize the health or safety of individuals.

Conclusion

Data Controllers and Processors must be aware of the criteria listed above to determine whether or not DPIA is applicable for their data processing activities. Further, you should also be aware of the list published by data protection authorities in other EU for the types of data processing that require a DPIA in their jurisdiction.

 But, in general, our experts at VISTA InfoSec recommend Data Controllers and Processors to conduct DPIA irrespective of whether their processing activities fall in the above list. This is because the assessment in general is seen as a good security practice that helps prevent any incidents of breach or exposure to any kind of risk.  So, if your organization is looking to perform a DPIA and requires guidance for the same you can reach out to us for consultation and guidance at info[@]vistainfosec.com. To know more about our GDPR Consulting, Advisory and Audit services, click on www.vistainfosec.com 

VISTA InfoSec is a global cybersecurity consulting firm having years of experience (since2014) in regulatory, compliance, and governance. We have been helping organizations around the globe in their efforts of GDPR Compliance. So, with us, you can rest assured of a hassle-free compliance process. 

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.